How to react to IDS 'Deauth flood' Signature attack ?

Unanswered Question
Aug 10th, 2010

I got an IDS alert from my WCS system. As I tried to troubleshoot the alert I had to recognize, to not beeing really aware of a work order on security reactions.

Maybe some engineers in this community do have better how to's / suggestions or useful tools on reaction for security alerts.

Following alert:

IDS 'Deauth flood' Signature attack detected on AP '<ap name>' protocol '802.11b/g' on Controller '<controller-ip>'. The Signature description is 'Deauthentication flood', with precedence '9'. The channel number is '11', the number of detections is '500', and one of potentially several attackers' mac addresses is '<attacker-mac>'.

My reaktion:

1.) Got alarm details and saved them via screenshot

2.) Watched for alarm history to get informed how often the attack was logged. (first attack was last week at same day in week)

3.) tried to localize the attacker but only on access-point got the alert at about -93 dbm rssi. Location is not very accurate with only on access-point

4.) because there is no one wireless client in that location / access-point I decided to set the attacked access-poin to monitor mode, to maybe get more or further details on attacks.

5.) further reaktion am thinking about are

     - set more access-points to monitor mode, maybe I will get a more accurate attacker location

     - infrastrukture security personell could watch the location for foreign people with notebooks or other wireless equipment. But I think this is not very helpful because of very small wireless tools or maybe some hidden installed equipment or maybe an attacking employee.

     - watching for measurement tools to locate attackers very accurate.

     - other access-pont modes e.g. sniffer or rogue-detector

     - look for some containment features on WCS to the attacking client

I have WCS and WLC with AIR-LAP1142 but no MSE with wIPS or location.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Rollin Kibbe Thu, 08/12/2010 - 07:33

Hi aheilmaier:

It sounds like you have a reasonable plan in place to respond.  There was no mention of what version of controller software you're using;  historically, there were some bugs in this IDS stuff that would cause false alarms.  It's also important to make sure that your controller is configured correctly to not falsely consider your own APs as attackers.  There are instances when an LWAPP/CAPWAP AP will send out several disassociate/deauthenticate messages in a row, and if AP Authentication or MFP aren't configured correctly, IDS will misidentify the controller's own APs.  TAC should be able to help you check that out, just so you know that you're getting only good IDS information on deauth floods.

As well, if you had a PLUS license on your WCS, you'd be able to locate one client/tag/rogue at a time by going to the entry for them on a list (like Monitor > Clients,) clicking on the name (or ) to bring up the details page for that client, then choosing "Recent Map" from the dropdown list.

Best of luck finding your attacker!


Rollin Kibbe

Network Management Systems Team


This Discussion

Related Content



Trending Topics - Security & Network